Windmill
cpe:2.3:a:windmill_project:windmill:*:*:*:*:*:*:*
- >= 1.309.0, <= 1.603.2
- >= 1.276.0, <= 1.603.2
- >= 1.56.0, <= 1.614.0
A vulnerability in Windmill versions 1.56.0 prior to 1.614.0, and in Nextcloud Flow versions 1.0.0 prior to 1.2.2, allows users with the Operator role to bypass authorization restrictions and perform unauthorized actions through the backend API. Operators can exploit this vulnerability to create and modify entities such as scripts, flows, apps, and raw apps, despite documentation stating that their role does not permit such actions. This exploitation leads to privilege escalation and remote code execution within the Windmill deployment, as Operators can execute scripts via the jobs API.
Beyond creating and modifying entities, which their role does not permit, this unauthorized access extends to Windmill's job execution API, where scripts injected by an Operator are executed with root privileges in the Windmill worker container.
The vulnerability can be reproduced by sending a request to the Windmill API's 'jobs_u' endpoint, which is publicly accessible without authentication. Operators can create a folder, exploit the SQL injection vulnerability to leak the 'jwt_secret' from the 'global_settings' table, and then forge a JWT token to gain super admin privileges. Once elevated, they can execute arbitrary code on the server.
Users can update to Windmill version 1.615.0 and Nextcloud Flow version 1.3.0, both of which include patches for this vulnerability. However, organizations should also address the underlying architectural issues in Nextcloud Flow that allowed this vulnerability to be exploited.
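As an added triage aid (not part of this record or of the Windmill project), the following Python encodes the version ranges exactly as this page lists them, the three Windmill ranges with inclusive bounds and the Nextcloud Flow range from the description, so an asset inventory can be checked against them; the product keys and the sample inventory are constructed.

```python
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

def parse_version(s: str) -> Version:
    """Parse 'v1.614.0' or '1.614' into a 3-tuple; pre-release and build
    suffixes are dropped since the advisory lists plain x.y.z releases."""
    core = s.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])

# (lower bound inclusive, upper bound, upper bound inclusive?)
AFFECTED: Dict[str, List[Tuple[str, str, bool]]] = {
    # The three Windmill ranges as listed in this record (">= a, <= b").
    "windmill": [
        ("1.309.0", "1.603.2", True),
        ("1.276.0", "1.603.2", True),
        ("1.56.0", "1.614.0", True),
    ],
    # Nextcloud Flow range from the description: 1.0.0 prior to 1.2.2.
    "nextcloud_flow": [("1.0.0", "1.2.2", False)],
}

# Patched releases named in the record.
FIXED_IN = {"windmill": "1.615.0", "nextcloud_flow": "1.3.0"}

def is_affected(product: str, version: str) -> bool:
    """True if `version` falls inside any listed affected range for `product`."""
    v = parse_version(version)
    for lo, hi, hi_inclusive in AFFECTED[product]:
        above_lo = v >= parse_version(lo)
        below_hi = v <= parse_version(hi) if hi_inclusive else v < parse_version(hi)
        if above_lo and below_hi:
            return True
    return False

def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, bool, str]]:
    """Annotate (product, version) pairs with an affected flag and the fixed version."""
    return [(p, ver, is_affected(p, ver), FIXED_IN[p]) for p, ver in inventory]

if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for row in triage([("windmill", "v1.603.2"), ("windmill", "1.615.0"),
                       ("nextcloud_flow", "1.2.1"), ("nextcloud_flow", "1.3.0")]):
        print(row)
```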